V
Virus Guy
Black ops: how HBGary wrote backdoors for the government
Part 2 of 3
===========================================================
12 Monkeys
The 12 Monkeys rootkit was also a contract paid out by General Dynamics;
as one HBGary e-mail noted, the development work could interfere with
Task B, but "if we succeed, we stand to make a great deal of profit on
this."
On April 14, 2009, Hoglund outlined his plans for the new super-rootkit
for Windows XP, which was "unique in that the rootkit is not associated
with any identifiable or enumerable object. This rootkit has no file,
named data structure, device driver, process, thread, or module
associated with it."
How could Hoglund make such a claim? Security tools generally work by
scanning a computer for particular objects - pieces of data that the
operating system uses to keep track of processes, threads, network
connections, and so on. 12 Monkeys simply had nothing to find. "Since no
object is associated with the objectless rootkit, detection will be very
difficult for a security scanner," he wrote. In addition, the rootkit
would encrypt itself to cloak itself further, and hop around in the
computer's memory to make it even harder to find.
As for getting the data off a target machine and back to the rootkit's
buyer, Hoglund had a clever idea: he disguised the outgoing traffic by
sending it only when other outbound Web traffic was being sent. Whenever
a user sat down at a compromised machine and started surfing the Web,
their machine would slip in some extra outgoing data "disguised as
ad-clicks" that would contain a log of all their keystrokes.
While the basic rootkit went for $60,000, HBGary hoped to sell 12
Monkeys for much more: "around $240k."
0-day
The goal of this sort of work is always to create something
undetectable, and there's no better way to be undetectable than by
taking advantage of a security hole that no one else has ever found.
Once vulnerabilities are disclosed, vendors like Microsoft race to patch
them, and they increasingly push those patches to customers via the
Internet. Among hackers, then, the most prized exploits are "0-day"
exploits - exploits for holes for which no patch yet exists.
HBGary kept a stockpile of 0-day exploits. A slide from one of the
company's internal presentations showed that the company had 0-day
exploits for which no patch yet existed - but these 0-day exploits had
not yet even been published. No one knew about them.
The company had exploits "on the shelf" for Windows 2000, Flash, Java,
and more; because they were 0-day attacks, any computer around the world
running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver
a "payload" of any size onto the target machine using a heap exploit.
"The payload has virtually no restrictions" on what it can do, a
document notes, because the exploit secures SYSTEM level access to the
operating system, "the highest user-mode operating system defined level"
available.
These exploits were sold to customers. One email, with the subject
"Juicy Fruit," contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Win2K3 MSRPC
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Rootkit 2009 *
The e-mail talks only about "tools," not about 0-day exploits, though
that appears to be what was at issue; the list of software here matches
HBGary's own list of its 0-day exploits. And the asterisk beside some of
the names "means the tool has been sold to another customer on a
non-exclusive basis and can be sold again."
===============================
HBGary's unpublished 0-day exploits:
http://static.arstechnica.com/02-14-2011/o-day-exploits.jpg
===============================
References to Juicy Fruit abound in the leaked e-mails. My colleague
Peter Bright and I have spent days poring through the tens of thousands
of messages; we believe that "Juicy Fruit" is a generic name for a
usable 0-day exploit, and that interest in this Juicy Fruit was high.
"[Name] is interested in the Juicy Fruit you told him about yesterday,"
one e-mail reads. "Next step is I need to give [name] a write up
describing it." That writeup includes the target software, the level of
access gained, the max payload size, and "what does the victim see or
experience."
Aaron Barr, who in late 2009 was brought on board to launch the separate
company HBGary Federal (and who provoked this entire incident by trying
to unmask Anonymous), wrote in one e-mail, "We need to provide info on
12 monkeys and related JF [Juicy Fruit] asap," apparently in reference
to exploits that could be used to infect a system with 12 Monkeys.
HBGary also provided some Juicy Fruit to Xetron, a unit of the massive
defense contractor Northrop Grumman that specialized in, among other
things, "computer assault." Barr wanted to "provide Xetron with some JF
code to be used for demonstrations to their end customers," one e-mail
noted. "Those demonstrations could lead to JF sales or ongoing services
work. There is significant revenue potential doing testing of JF code
acquired elsewhere or adding features for mission specific uses."
As the deal was being worked out, HBGary worked up an agreement to
"provide object code and source code for this specific Juicy Fruit" to
Xetron, though they could not sell the code without paying HBGary. The
code included with this agreement was a "Adobe Macromedia Flash Player
Remote Access Tool," the "HBGary Rootkit Keylogger Platform," and a
"Software Integration Toolkit Module."
The question of who might be interested in these tools largely remains
an unknown - though Barr did request information on HBGary's Juicy Fruit
just after asking for contacts at SOCOM, the US Special Operations
Command.
But HBGary Federal had ideas that went far beyond government rootkits
and encompassed all facets of information warfare. Including, naturally,
cartoons. And Second Life.
Psyops
In mid-2010, HBGary Federal put together a PSYOP (psychological
operations) proposal for SOCOM, which had issued a general call for new
tools and techniques. In the document, the new HBGary Federal team
talked up their past experience as creators of "multiple products
briefed to POTUS [President of the United States], the NSC [National
Security Council], and Congressional Intelligence committees, as well as
senior intelligence and military leaders."
The document focused on cartoons and the Second Life virtual world.
"HBGary personnel have experience creating political cartoons that
leverage current events to seize the target audience's attention and
propagate the desired messages and themes," said the document, noting
that security-cleared cartoonists and 3D modelers had already been lined
up to do the work if the government wanted some help.
Cartoon example of Ahmadinejad with a puppet ayatollah
The cartooning process "starts with gathering customer requirements such
as the target audience, high level messages and themes, intended
publication mediums - Through brainstorming sessions, we develop concept
ideas. Approved concepts are rough sketched in pencil. Approved sketches
are developed into a detailed, color end product that is suitable for
publishing in a variety of mediums."
A sample cartoon, of Iranian President Ahmadinejad manipulating a puppet
Ayatollah, was helpfully included.
The document then went on to explain how the US government could use a
virtual world such as Second Life to propagate specific messages. HBGary
could localize the Second Life client, translating its menu options and
keyboard shortcuts into local dialects, and this localized client could
report "valuable usage metrics, enabling detailed measures of effects."
If you want to know whether your message is getting out, just look at
the statistics of how many people play the game and for how long.
As for the messages themselves, those would appear within the Second
Life world. "HBGary can develop an in-world advertising company,
securing small plots of virtual land in attractive locations, which can
be used to promote themes using billboards, autonomous virtual robots,
audio, video, and 3D presentations," said the document.
They could even make a little money while they're at it, by creating
"original marketable products to generate self-sustaining revenue within
the virtual space as well as promote targeted messaging."
We found no evidence that SOCOM adopted the proposal.
But HBGary Federal's real interest had become social media like Facebook
and Twitter - and how they could be used to explore and then penetrate
secretive networks. And that was exactly what the Air Force wanted to
do.
Fake Facebook friends
In June 2010, the government was expressing real interest in social
networks. The Air Force issued a public request for "persona management
software," which might sound boring until you realize that the
government essentially wanted the ability to have one agent run multiple
social media accounts at once.
It wanted 50 software licenses, each of which could support 10 personas,
"replete with background, history, supporting details, and cyber
presences that are technically, culturally and geographically
consistent."
The software would allow these 50 cyberwarriors to peer at their
monitors all day and manipulate these 10 accounts easily, all "without
fear of being discovered by sophisticated adversaries." The personas
would appear to come from all over the world, the better to infiltrate
jihadist websites and social networks, or perhaps to show up on Facebook
groups and influence public opinion in pro-US directions.
As the cyberwarriors worked away controlling their 10 personas, their
computers would helpfully provide "real-time local information" so that
they could play their roles convincingly.
In addition the Air Force wanted a secure virtual private network that
could mask the IP addresses behind all of this persona traffic. Every
day, each user would get a random IP address to help hide "the existence
of the operation." The network would further mask this persona work by
"traffic mixing, blending the user's traffic with traffic from
multitudes of users from outside the organization. This traffic blending
provides excellent cover and powerful deniability."
This sort of work most interested HBGary Federal's Aaron Barr, who was
carving out a niche for himself as a social media expert. Throughout
late 2010 and early 2011, he spent large chunks of his time attempting
to use Facebook, Twitter, and Internet chat to map the network of Exelon
nuclear plant workers in the US and to research the members of
Anonymous. As money for his company dried up and government contracts
proved hard to come by, Barr turned his social media ideas on pro-union
forces, getting involved in a now-controversial project with two other
security firms.
But e-mails make clear that he mostly wanted to sell this sort of
capability to the government. "We have other customers, mostly on
offense, that are interested in Social Media for other things," he wrote
in August 2010. "The social media stuff seems like low hanging fruit."
How does one use social media and fake "personas" to do anything of
value? An e-mail from Barr on August 22 makes his thinking clear. Barr
ponders "the best way to go about establishing a persona to reach an
objective (in this case ft. belvoir/INSCOM/1st IO)."
The Army's Fort Belvoir, like any secretive institution, might be more
easily penetrated by pretending to be an old friend of a current
employee. "Make your profile swim in a large sea," Barr wrote. "Pick a
big city, big high school, big company. Work your way up and in.
Recreate your history. Start by friending high school people. In my case
I am in the army so after you have amassed enough friends from high
school, then start friending military folks outside of your location,
something that matches the area your in, bootcamp, etc. Lastly start to
friend people from the base, but start low and work your way up. So far
so good."
Once the persona had this network of friends, "I will start doing things
tricky. Try to manipulate conversations, insert communication streams,
etc," said Barr. This sort of social media targeting could also be used
to send your new "friend" documents or files (such as the Al-Qaeda
poison document discussed above) [that] come complete with malware, or
by directing them to specially-crafted websites designed to elicit some
specific piece of information: directed attacks known as "spear
phishing."
But concerns arose about obtaining and using social media data, in part
because sites like Facebook restricted the "scraping" of its user data.
An employee from the link analysis firm Palantir wrote Barr at the end
of August, asking, "Is the idea that we'd want to ingest all of
Facebook's data, or just a targeted subset for a few users of interest?"
The more data that was grabbed from Facebook, the more chance a problem
could arise. The Palantir employee noted that a researcher had used
similar tools to violate Facebook's acceptable use policy on data
scraping, "resulting in a lawsuit when he crawled most of Facebook's
social graph to build some statistics. I'd be worried about doing the
same. (I'd ask him for his Facebook data - he's a fan of Palantir - but
he's already deleted it.)"
Still, the potential usefulness of sites like Facebook was just too
powerful to ignore, acceptable use policy or not.
Part 2 of 3
===========================================================
12 Monkeys
The 12 Monkeys rootkit was also a contract paid out by General Dynamics;
as one HBGary e-mail noted, the development work could interfere with
Task B, but "if we succeed, we stand to make a great deal of profit on
this."
On April 14, 2009, Hoglund outlined his plans for the new super-rootkit
for Windows XP, which was "unique in that the rootkit is not associated
with any identifiable or enumerable object. This rootkit has no file,
named data structure, device driver, process, thread, or module
associated with it."
How could Hoglund make such a claim? Security tools generally work by
scanning a computer for particular objects - pieces of data that the
operating system uses to keep track of processes, threads, network
connections, and so on. 12 Monkeys simply had nothing to find. "Since no
object is associated with the objectless rootkit, detection will be very
difficult for a security scanner," he wrote. In addition, the rootkit
would encrypt itself to cloak itself further, and hop around in the
computer's memory to make it even harder to find.
As for getting the data off a target machine and back to the rootkit's
buyer, Hoglund had a clever idea: he disguised the outgoing traffic by
sending it only when other outbound Web traffic was being sent. Whenever
a user sat down at a compromised machine and started surfing the Web,
their machine would slip in some extra outgoing data "disguised as
ad-clicks" that would contain a log of all their keystrokes.
While the basic rootkit went for $60,000, HBGary hoped to sell 12
Monkeys for much more: "around $240k."
0-day
The goal of this sort of work is always to create something
undetectable, and there's no better way to be undetectable than by
taking advantage of a security hole that no one else has ever found.
Once vulnerabilities are disclosed, vendors like Microsoft race to patch
them, and they increasingly push those patches to customers via the
Internet. Among hackers, then, the most prized exploits are "0-day"
exploits - exploits for holes for which no patch yet exists.
HBGary kept a stockpile of 0-day exploits. A slide from one of the
company's internal presentations showed that the company had 0-day
exploits for which no patch yet existed - but these 0-day exploits had
not yet even been published. No one knew about them.
The company had exploits "on the shelf" for Windows 2000, Flash, Java,
and more; because they were 0-day attacks, any computer around the world
running these pieces of software could be infiltrated.
One of the unpublished Windows 2000 exploits, for instance, can deliver
a "payload" of any size onto the target machine using a heap exploit.
"The payload has virtually no restrictions" on what it can do, a
document notes, because the exploit secures SYSTEM level access to the
operating system, "the highest user-mode operating system defined level"
available.
These exploits were sold to customers. One email, with the subject
"Juicy Fruit," contains the following list of software:
VMware ESX and ESXi *
Win2K3 Terminal Services
Win2K3 MSRPC
Solaris 10 RPC
Adobe Flash *
Sun Java *
Win2k Professional & Server
XRK Rootkit and Keylogger *
Rootkit 2009 *
The e-mail talks only about "tools," not about 0-day exploits, though
that appears to be what was at issue; the list of software here matches
HBGary's own list of its 0-day exploits. And the asterisk beside some of
the names "means the tool has been sold to another customer on a
non-exclusive basis and can be sold again."
===============================
HBGary's unpublished 0-day exploits:
http://static.arstechnica.com/02-14-2011/o-day-exploits.jpg
===============================
References to Juicy Fruit abound in the leaked e-mails. My colleague
Peter Bright and I have spent days poring through the tens of thousands
of messages; we believe that "Juicy Fruit" is a generic name for a
usable 0-day exploit, and that interest in this Juicy Fruit was high.
"[Name] is interested in the Juicy Fruit you told him about yesterday,"
one e-mail reads. "Next step is I need to give [name] a write up
describing it." That writeup includes the target software, the level of
access gained, the max payload size, and "what does the victim see or
experience."
Aaron Barr, who in late 2009 was brought on board to launch the separate
company HBGary Federal (and who provoked this entire incident by trying
to unmask Anonymous), wrote in one e-mail, "We need to provide info on
12 monkeys and related JF [Juicy Fruit] asap," apparently in reference
to exploits that could be used to infect a system with 12 Monkeys.
HBGary also provided some Juicy Fruit to Xetron, a unit of the massive
defense contractor Northrop Grumman that specialized in, among other
things, "computer assault." Barr wanted to "provide Xetron with some JF
code to be used for demonstrations to their end customers," one e-mail
noted. "Those demonstrations could lead to JF sales or ongoing services
work. There is significant revenue potential doing testing of JF code
acquired elsewhere or adding features for mission specific uses."
As the deal was being worked out, HBGary worked up an agreement to
"provide object code and source code for this specific Juicy Fruit" to
Xetron, though they could not sell the code without paying HBGary. The
code included with this agreement was a "Adobe Macromedia Flash Player
Remote Access Tool," the "HBGary Rootkit Keylogger Platform," and a
"Software Integration Toolkit Module."
The question of who might be interested in these tools largely remains
an unknown - though Barr did request information on HBGary's Juicy Fruit
just after asking for contacts at SOCOM, the US Special Operations
Command.
But HBGary Federal had ideas that went far beyond government rootkits
and encompassed all facets of information warfare. Including, naturally,
cartoons. And Second Life.
Psyops
In mid-2010, HBGary Federal put together a PSYOP (psychological
operations) proposal for SOCOM, which had issued a general call for new
tools and techniques. In the document, the new HBGary Federal team
talked up their past experience as creators of "multiple products
briefed to POTUS [President of the United States], the NSC [National
Security Council], and Congressional Intelligence committees, as well as
senior intelligence and military leaders."
The document focused on cartoons and the Second Life virtual world.
"HBGary personnel have experience creating political cartoons that
leverage current events to seize the target audience's attention and
propagate the desired messages and themes," said the document, noting
that security-cleared cartoonists and 3D modelers had already been lined
up to do the work if the government wanted some help.
Cartoon example of Ahmadinejad with a puppet ayatollah
The cartooning process "starts with gathering customer requirements such
as the target audience, high level messages and themes, intended
publication mediums - Through brainstorming sessions, we develop concept
ideas. Approved concepts are rough sketched in pencil. Approved sketches
are developed into a detailed, color end product that is suitable for
publishing in a variety of mediums."
A sample cartoon, of Iranian President Ahmadinejad manipulating a puppet
Ayatollah, was helpfully included.
The document then went on to explain how the US government could use a
virtual world such as Second Life to propagate specific messages. HBGary
could localize the Second Life client, translating its menu options and
keyboard shortcuts into local dialects, and this localized client could
report "valuable usage metrics, enabling detailed measures of effects."
If you want to know whether your message is getting out, just look at
the statistics of how many people play the game and for how long.
As for the messages themselves, those would appear within the Second
Life world. "HBGary can develop an in-world advertising company,
securing small plots of virtual land in attractive locations, which can
be used to promote themes using billboards, autonomous virtual robots,
audio, video, and 3D presentations," said the document.
They could even make a little money while they're at it, by creating
"original marketable products to generate self-sustaining revenue within
the virtual space as well as promote targeted messaging."
We found no evidence that SOCOM adopted the proposal.
But HBGary Federal's real interest had become social media like Facebook
and Twitter - and how they could be used to explore and then penetrate
secretive networks. And that was exactly what the Air Force wanted to
do.
Fake Facebook friends
In June 2010, the government was expressing real interest in social
networks. The Air Force issued a public request for "persona management
software," which might sound boring until you realize that the
government essentially wanted the ability to have one agent run multiple
social media accounts at once.
It wanted 50 software licenses, each of which could support 10 personas,
"replete with background, history, supporting details, and cyber
presences that are technically, culturally and geographically
consistent."
The software would allow these 50 cyberwarriors to peer at their
monitors all day and manipulate these 10 accounts easily, all "without
fear of being discovered by sophisticated adversaries." The personas
would appear to come from all over the world, the better to infiltrate
jihadist websites and social networks, or perhaps to show up on Facebook
groups and influence public opinion in pro-US directions.
As the cyberwarriors worked away controlling their 10 personas, their
computers would helpfully provide "real-time local information" so that
they could play their roles convincingly.
In addition the Air Force wanted a secure virtual private network that
could mask the IP addresses behind all of this persona traffic. Every
day, each user would get a random IP address to help hide "the existence
of the operation." The network would further mask this persona work by
"traffic mixing, blending the user's traffic with traffic from
multitudes of users from outside the organization. This traffic blending
provides excellent cover and powerful deniability."
This sort of work most interested HBGary Federal's Aaron Barr, who was
carving out a niche for himself as a social media expert. Throughout
late 2010 and early 2011, he spent large chunks of his time attempting
to use Facebook, Twitter, and Internet chat to map the network of Exelon
nuclear plant workers in the US and to research the members of
Anonymous. As money for his company dried up and government contracts
proved hard to come by, Barr turned his social media ideas on pro-union
forces, getting involved in a now-controversial project with two other
security firms.
But e-mails make clear that he mostly wanted to sell this sort of
capability to the government. "We have other customers, mostly on
offense, that are interested in Social Media for other things," he wrote
in August 2010. "The social media stuff seems like low hanging fruit."
How does one use social media and fake "personas" to do anything of
value? An e-mail from Barr on August 22 makes his thinking clear. Barr
ponders "the best way to go about establishing a persona to reach an
objective (in this case ft. belvoir/INSCOM/1st IO)."
The Army's Fort Belvoir, like any secretive institution, might be more
easily penetrated by pretending to be an old friend of a current
employee. "Make your profile swim in a large sea," Barr wrote. "Pick a
big city, big high school, big company. Work your way up and in.
Recreate your history. Start by friending high school people. In my case
I am in the army so after you have amassed enough friends from high
school, then start friending military folks outside of your location,
something that matches the area your in, bootcamp, etc. Lastly start to
friend people from the base, but start low and work your way up. So far
so good."
Once the persona had this network of friends, "I will start doing things
tricky. Try to manipulate conversations, insert communication streams,
etc," said Barr. This sort of social media targeting could also be used
to send your new "friend" documents or files (such as the Al-Qaeda
poison document discussed above) [that] come complete with malware, or
by directing them to specially-crafted websites designed to elicit some
specific piece of information: directed attacks known as "spear
phishing."
But concerns arose about obtaining and using social media data, in part
because sites like Facebook restricted the "scraping" of its user data.
An employee from the link analysis firm Palantir wrote Barr at the end
of August, asking, "Is the idea that we'd want to ingest all of
Facebook's data, or just a targeted subset for a few users of interest?"
The more data that was grabbed from Facebook, the more chance a problem
could arise. The Palantir employee noted that a researcher had used
similar tools to violate Facebook's acceptable use policy on data
scraping, "resulting in a lawsuit when he crawled most of Facebook's
social graph to build some statistics. I'd be worried about doing the
same. (I'd ask him for his Facebook data - he's a fan of Palantir - but
he's already deleted it.)"
Still, the potential usefulness of sites like Facebook was just too
powerful to ignore, acceptable use policy or not.